Castle.Monorail.Framework.Adapters.ServerUtilityAdapter has a method
JavaScriptEscape. This is intended to sanitize strings for inclusion
in JavaScript string literals:
"';Malicious code!//" => "\';Malicious code!//"
However, it concentrates solely on JS in self-contained files. A common
use case is including JS in HTML. JavaScriptEscape ignores this:
<% maliciousString = "I'm not terminated! </script>" %>
<script>
var str = '${Html.JavaScriptEscape(maliciousString)}';
</script>
Here, you get a JS error: unterminated string literal 'I\'m not terminated!
The browser ignores any JS parsing rules and finds the </script> tag
in the string literal. The HTML document is no longer well-formed, but
most browsers will accept this silently. The JS parser can't cope with
an abruptly terminated script.
This can result in a denial of service, depending on where this string
is located.
The fix:
<% maliciousString = "I'm not terminated! </script>" %>
<script>
var str = '${Html.JavaScriptEscape(maliciousString).Replace(">", "\\>")}';
</script>
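As an added illustration (not code from the post and not Castle's own implementation), the three escaping variants side by side in JavaScript: a naive string-literal escape like the one described, the post's own ">" fix, and a hardened variant that hex-encodes "<", ">" and "/" so no HTML end tag can survive inside the literal. Function names are hypothetical.

```javascript
// Naive: escapes only what a stand-alone JS string literal needs
// (quotes, backslash, line breaks). Mirrors the behaviour the post describes.
function jsEscapeNaive(s) {
  return s.replace(/[\\'"]/g, (c) => '\\' + c)
          .replace(/\r/g, '\\r')
          .replace(/\n/g, '\\n');
}

// The post's fix: additionally turn '>' into '\>' so "</script>" becomes
// "</script\>", which the HTML tokenizer no longer treats as an end tag.
// '\>' is a JS identity escape and still evaluates to '>'.
function jsEscapePostFix(s) {
  return jsEscapeNaive(s).replace(/>/g, '\\>');
}

// Hardened: hex-encode '<', '>' and '/' so that neither "</script" nor
// "<!--" can appear in the emitted literal at all. Hex escapes are
// unambiguous in every JS mode, unlike identity escapes.
function jsEscapeInline(s) {
  return jsEscapeNaive(s).replace(/[<>\/]/g,
    (c) => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Check: does the escaped text still contain a sequence the HTML parser
// would read as the end of the <script> block, or a comment opener?
// Per the HTML tokenizer, "</script" only ends the element when followed
// by whitespace, '/' or '>'.
function breaksScriptBlock(escaped) {
  return /<\/script[\s\/>]/i.test(escaped) || /<!--/.test(escaped);
}

// Evaluate the literal the way a JS engine would, to confirm the
// escaped text still decodes back to the original string.
function roundTrip(escaped) {
  return new Function("return '" + escaped + "';")();
}

// Constructed sample input, taken from the post's scenario.
const maliciousString = "I'm not terminated! </script>";
```

Only the naive variant leaves "</script>" intact; both fixes round-trip to the original string while keeping the enclosing script element well-formed.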